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-The MAILING DATE of this communication appears on the cover sheet with the correspondence address - 
THE REPLY FILED 30 March 2007 FAILS TO PLACE THIS APPLICATION IN CONDITION FOR ALLOWANCE. 

1 . ^ The reply was filed after a final rejection, but prior to or on the same day as filing a Notice of Appeal. To avoid abandonment of 

this application, applicant must timely file one of the following replies: (1 ) an amendment, affidavit, or other evidence, which 
places the application in condition for allowance; (2) a Notice of Appeal (with appeal fee) in compliance with 37 CFR 41.31; or (3) 
a Request for Continued Examination (RCE) in compliance with 37 CFR 1.1 14. The reply must be filed within one of the following 
time periods: 

a) O The period for reply expires months from the mailing date of the final rejection: 

b) ^ The period for reply expires on: (1) the mailing date of this Advisory Action, or (2) the date set forth in the final rejection, whichever is later. In 

no event, however, will the statutory period for reply expire later than SIX MONTHS from the mailing date of the final rejection. 

Examiner Note: If box 1 is checked, check either box (a) or (b). ONLY CHECK BOX (b) WHEN THE FIRST REPLY WAS FILED WITHIN 

TWO MONTHS OF THE FINAL REJECTION. See MPEP 706.07(f). 
Extensions of time may be obtained under 37 CFR 1.136(a). The date on which the petition under 37 CFR 1.136(a) and the appropriate extension fee 
have been filed is the date for purposes of determining the period of extension and the corresponding amount of the fee. The appropriate extension fee 
under 37 CFR 1.17(a) is calculated from: (1) the expiration date of the shortened statutory period for reply originally set in the final Office action; or (2) as 
set forth in (b) above, if checked. Any reply received by the Office later than three months after the mailing date of the final rejection, even if timely filed, 
may reduce any earned patent term adjustment. See 37 CFR 1.704(b). 
NOTICE OF APPEAL 

2. □ The Notice of Appeal was filed on . A brief in compliance with 37 CFR 41 .37 must be filed within two months of the date of 

filing the Notice of Appeal (37 CFR 41 .37(a)), or any extension thereof (37 CFR 41 .37(e)), to avoid dismissal of the appeal. Since 
a Notice of Appeal has been filed, any reply must be filed within the time period set forth in 37 CFR 41 .37(a). 
AMENDMENTS x 

3. □ The proposed amendment(s) filed after a final rejection, but prior to the date of filing a brief, will not be entered because 

(a) D They raise new issues that would require further consideration and/or search (see NOTE below); 

(b) D They raise the issue of new matter (see NOTE below); 

(c) □ They are not deemed to place the application in better form for appeal by materially reducing or simplifying the issues for 

appeal; and/or 

(d) D They present additional claims without canceling a corresponding number of finally rejected claims. 

NOTE: . (See 37 CFR 1.1 16 arid 41.33(a)). 

4. □ The amendments are not in compliance with 37 CFR 1.121. See attached Notice of Non-Compliant Amendment (PTOL-324). 

5. □ Applicant's reply has overcome the following rejection(s): . 

6. □ Newly proposed or amended claim(s) would be allowable if submitted in a separate, timely filed amendment canceling the 

non-allowable claim(s). 

7. ^ For purposes of appeal, the proposed amendment(s): a) □ will not be entered, or b) ^ will be entered and an explanation of 

how the new or amended claims would be rejected is provided below or appended. 
The status of the claim(s) is (or will be) as follows: 

Claim(s) allowed: . 

Claim(s) objected to: . 



Claim(s) rejected: 1.3-9.11-14.16 and 18-29 . 

Claim(s) withdrawn from consideration: . 

AFFIDAVIT OR OTHER EVIDENCE 

8. □ The affidavit or other evidence filed after a final action, but before or on the date of filing a Notice of Appeal will not be entered 

because applicant failed to provide a showing of good and sufficient reasons why the affidavit or other evidence is necessary and 
was not earlier presented. See 37 CFR 1.116(e). 

9. □ The affidavit or other evidence filed after the date of filing a Notice of Appeal, but prior to the date of filing a brief, will not be 

entered because the affidavit or other evidence failed to overcome all rejections under appeal and/or appellant fails to provide a 
showing a good and sufficient reasons why it is necessary and was not earlier presented. See 37 CFR 41.33(d)(1). 

10. □ The affidavit or other evidence is entered. An explanation of the status of the claims after entry is below or attached. 
REQUEST FOR RECONSIDERATION/OTHER 

11. [gj The request for reconsideration has been considered but does NOT place the application in condition for allowance because: 

See Continuation Sheet. 

12. □ Note the attached Information Disclosure Statement(s). (PTO/SB/08) Paper No(s). 

13. □ Other: . 
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Continuation of 1 1 . does NOT place the application in condition for allowance because: 

Referring to claim 1 , Applicant argued that Barzilai fails to teach or suggest the following limitations: (i) Barzilai fails to teach or 
suggest that the privacy policy associated with a node that contains user private information includes a rule that references and comprises 
at least one action associated with that resource (Applicant's argument, Page 1 1 Lines 2-5). 

In response, it is pointed out that Barzilai teaches said limitations in Paragraph 0013 as "A basis privacy policy is defined for a 
root node in the structure, typically the enterprise home page Preferably, this basic policy applies to all of the nodes in the structure. 
Additional privacy rules are defined for other nodes in the hierarchy. The privacy policy for any given node is determined by combining the 
privacy policy of its parent node with the additional privacy rules defined for the node itself. Thus, the level of privacy provided for user 
information typically increases as the user progresses deeper into the hierarchy and is asked to submit additional personal information or 
to authorized additional uses of information already submitted. This pattern of graduated privacy is useful particularly in e-commerce 
applications, wherein a user must generally submit only limited, non-sensitive private information to browse a Web site, but is then 
prompted for increasingly sensitive information when he or she submits a product inquiry to the site and subsequently places an order. 
The hierarchical organization simplifies maintenance of the privacy policies by the EPM, as well as facilitating user interaction in 
connection with policy notice and consent". 

Additionally, Applicant argued that Barzilai fails to teach or suggest that a privacy policy includes a condition that places a 
constraint on the at least one action within rule. In response, it is pointed out that Paragraph 0013 of Barzilai discussed above that rules 
reference actions which are associated with resources. Additionally, Barzilai teaches that a privacy policy includes a condition that places 
on the at least one action within rule in Paragraph 0070 as "A user request handler 46 manages privacy-related interactions with site 
users, such as supplying policy information retrieved by policy engine 42, and collecting data to be passed to personal information engine 
44. Handler 46 preferably carries out these functions by interaction with P3P agent 40"; in Paragraph 0071 as "An administrator request 
handler 48 retrieves policies from policy engine 42 and enables the administrator, using tool 32, to add new policies and update existing 
policies maintained by the policy engine. Preferably, tool 32 comprises an application programming interface (API), which also enables the 
administrator to implement customized privacy management functions" ; and in Paragraph 0072 as "An application request handler 50 
receives and processes information requests from application 36 and returns information that is provided by personal information engine 
44, to the extent permitted by privacy policies. Preferably, application 36 is programmed by application owner 34 to interact with handler 
50 using an API that is supplied for this purpose. The API enables the application owner to build privacy handling into the application in a 
straightforward way that is compatible with the interface provided by handler 50". 

Additionally Applicant argued that Barzilai fails to teach or suggest that the privacy policy includes a subject that defines a 
collection of users to whom the policy definition applies (Applicant's argument Page 12). In response, it is pointed out that Barzilai 
teaches said limitations in Paragraph 0014 as "policy to different type of users". 

Finally, Applicant argued that Barzilai fails to teach or suggest that the privacy policy includes a referral that identifies a second 
decision point to which the evaluation of the privacy policy is delegated (Applicant's argument, Page 12, second paragraph). In response, 
it is pointed out that Paragraph 0013 (in contrast to applicant's reference to paragraph 0012) of Barzilai teaches the limitation as "The 
privacy policy for any given node is determined by combining the privacy policy of its parent node with the additional privacy rules defined 
for the node itself. Thus, the level of privacy provided for user information typically increases as the user progresses deeper into the 
hierarchy and is asked to submit additional personal information or to authorized additional uses of information already submitted. This 
pattern of graduated privacy is useful particularly in e-commerce applications, wherein a user must generally submit only limited, non- 
sensitive private information to browse a Web site, but is then prompted for increasingly sensitive information when he or she submits a 
product inquiry to the site and subsequently places an order". This recitation of Barzilai clearly teaches that there are decision points in 
the hierarchy and each higher level acts as a second decision point to the lower level. As the user goes progresses deeper into the 
hierarchy, more and more decision points are encountered and more credentials and personal information are asked for. Nodes a level 
thus delegates the evaluation of the privacy policy to the decision point at that level, which asks for access requests from users 
progressing from lower levels to that particular level. 



2 



